Skip to main content

IBM Langflow CVE-2026-8859

CRITICAL
Path Traversal (CWE-22)
2026-07-17 ibm
9.9
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
CRITICAL
qualitative
NVD
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.4 HIGH

AC:H because Save-to-File must be enabled and the victim flow must hit an attacker-controlled server; PR:L for flow-author access; C:L since a write primitive yields only indirect confidentiality; I:H/A:H for arbitrary write and S:C for host-level reach.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 19:46 vuln.today
CVE Published
Jul 17, 2026 - 18:58 cve.org
CRITICAL 9.9

DescriptionNVD

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to write arbitrary files to unintended locations due to improper input validation in the APIRequest component. A path traversal vulnerability exists when the "Save to File" feature is enabled, where filenames extracted from HTTP response Content-Disposition headers are not sanitized before being joined to the temporary directory path. An attacker controlling an external HTTP server can supply crafted filename values containing path traversal sequences (e.g., ../), enabling arbitrary file writes to locations accessible by the Langflow process.

AnalysisAI

Arbitrary file write in IBM Langflow OSS 1.0.0 through 1.10.0 lets an attacker who controls an external HTTP server plant files at attacker-chosen paths on the Langflow host. The flaw lives in the APIRequest component's 'Save to File' feature, which trusts filenames from a response Content-Disposition header without sanitizing path traversal sequences, so a malicious server response can escape the temporary directory and write to any location the Langflow process can reach. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker controls upstream HTTP server
Delivery
Langflow flow calls attacker URL with Save-to-File on
Exploit
Malicious Content-Disposition filename with ../ returned
Execution
Filename joined to temp path unsanitized
Persist
Arbitrary file written outside temp dir
Impact
Overwrite code/config for RCE

Vulnerability AssessmentAI

Exploitation Exploitation requires the APIRequest component's 'Save to File' feature to be explicitly enabled (a non-default setting), and a Langflow flow that issues an HTTP request to a server the attacker controls or can poison - the attacker must sit on that upstream endpoint to inject a malicious Content-Disposition filename containing '../' sequences. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment IBM's CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, score 9.9) reflects a network-reachable, low-privilege, scope-changing file write with full CIA impact - an arbitrary write primitive that commonly escalates to remote code execution by overwriting code, startup scripts, or configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up (or compromises) an HTTP endpoint that a Langflow flow's APIRequest component is configured to call with 'Save to File' enabled. When the flow fetches the URL, the attacker's response includes a Content-Disposition header such as filename="../../app/startup.py", causing Langflow to write attacker-supplied content outside the temp directory and potentially achieve code execution on the next process load. …
Remediation Patch available per vendor advisory - apply the fixed IBM Langflow OSS release referenced at https://www.ibm.com/support/pages/node/7278924 (exact fixed version not stated in the provided data; confirm the target version in the advisory before upgrading and do not assume a version number). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all deployments of Langflow 1.0.0-1.10.0 across your infrastructure and identify systems requiring immediate updates. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-10561 CRITICAL
10.0 Jun 22

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully comprom

CVE-2026-7873 CRITICAL
9.9 Jun 30

Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-

CVE-2026-8476 CRITICAL
9.9 Jul 17

Remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows attackers to run arbitrary code by planting a mali

CVE-2026-8481 CRITICAL
9.9 Jul 17

Authenticated remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 lets any logged-in user run arbitrary Pytho

CVE-2026-8635 CRITICAL
9.9 Jul 17

Privilege escalation to remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated user to e

CVE-2026-9135 CRITICAL
9.9 Jul 17

Arbitrary Python code execution in IBM Langflow OSS 1.0.0 through 1.10.0 (Langflow versions up to 1.9.2) allows authenti

CVE-2026-7871 CRITICAL
9.8 Jun 30

Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the b

CVE-2026-7803 CRITICAL
9.8 Jun 30

Arbitrary code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 allows remote attackers to run code on the ho

CVE-2026-7664 CRITICAL
9.8 Jun 22

Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected

CVE-2026-7663 CRITICAL
9.8 Jun 30

Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach p

CVE-2026-8505 CRITICAL
9.8 Jul 17

Unauthenticated remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 stems from broken webhook authentication

CVE-2026-9103 CRITICAL
9.8 Jul 17

Authentication bypass in IBM Langflow OSS 1.0.0 through 1.10.0 lets an unauthenticated remote attacker retrieve a long-l

Share

CVE-2026-8859 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy